Privacy, Data Security & FTC Reform

There may be no Federal agency whose importance is more underappreciated than the Federal Trade Commission. Section 5 of the FTC Act gives the Commission sweeping jurisdiction — over nearly every company in America — and broad powers over unfair and deceptive acts and practices and unfair methods of competition. The FTC has increasingly wielded these powers over the high tech sector, becoming the de facto Federal Technology Commission.

Much of what the FTC does is uncontroversial, including routine antitrust, fraud and advertising cases. Yet as the FTC has dealt with cutting-edge legal issues, like privacy, data security and product design, it has raised deep concerns not merely about the specific cases brought by the FTC, but also about the agency drifting away from the careful balance it struck in its 1980 Unfairness Policy Statement and its 1983 Deception Policy Statement.

More broadly, privacy and data security have become an increasingly important concern for lawmakers and courts. Routine data breaches and data leaks, discovered security vulnerabilities, and hacking incidents have repeatedly exposed the fault lines in our legal system around data usage.

ICLE’s scholars work on the frontiers of privacy and data security, and have deep expertise in the FTC’s historical and contemporary practices.

The Eleventh Circuit’s LabMD opinion came out last week and has been something of a Rorschach test for those of us who study consumer protection law. Neil Chilson found the result to be a disturbing sign of slippage in Congress’s command that the FTC refrain from basing enforcement on “public policy.” Berin Szóka, on the other hand, saw the ruling as a long-awaited rebuke against the FTC’s expansive notion of its “unfairness” authority.

Although the FTC is well-staffed with highly skilled economists, its approach to data security is disappointingly light on economic analysis. The unfortunate result of this lacuna is an approach to these complex issues lacking in analytical rigor and the humility born of analysis grounded in sound economics.

In its description of this workshop, the Commission notes that “consumers may suffer injury when information about them is misused,” and suggests that this workshop “will address questions such as how to best characterize these injuries, how to accurately measure such injuries,” and so on.

Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 [“Section 5”], is a consumer protection statute, not a data security rule...This fundamental point has been lost in the Commission’s approach to data security.

It's hardly an overstatement to claim that data is (or is fast becoming) the lifeblood of the modern economy. As new business models built on innovative uses of data emerge in the economy, these businesses are confronted with increasing regulatory constraints that may work to limit both the scope of their operation and their corporate structure.